Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 11 Sep 2011 00:52:38 +0200
From: magnum <>
Subject: Re: Rewrite of the pkzip format posted (on the wiki).

On 2011-09-10 23:18, JimF wrote:
> If there is problems you find (or a patch I have left out, as it appears
> may have happened from a post you made a little after this one), then
> post them, if at all possible. I will try to work through any issues as
> soon as I have time.

Wiki is updated. Here is what I had to do, to get that last zipfile cracked.

Both of the tests affected in the enclosed patch clearly gave false 
negatives on However, there *might* be 
better ways than just commenting them out like I did. In this case, C 
was 80 (decimal) in the first test and v1 was 0x034b while v2 was 0x1404 
(v2^0xffff was 0xebfb). We might be able to put these back with some 
correction for what is valid or not. If not, there are some more code 
that should be commented out 'cause it's currently unnecessary.

OTOH I don't see much of a performance hit. But I do not possess any 
1-byte checksum zipfiles. These checks are the fourth and fifth so lots 
of false positives are already sorted.

Anyways, I believe this must be in until we get something better.


diff --git a/src/pkzip_fmt_plug.c b/src/pkzip_fmt_plug.c
index 6ee66d9..3a800b5 100644
--- a/src/pkzip_fmt_plug.c
+++ b/src/pkzip_fmt_plug.c
@@ -1312,8 +1312,8 @@ SkipKeyLoadInit:;
 			SigChecked = 0;
 			if ( (C & 6) == 0) {
 				// Check that checksum2 is 0 or 1.  If not, I 'think' we can be done
-				if (C > 1)
-					goto Failed_Bailout;
+				//if (C > 1)
+					//goto Failed_Bailout;
 				// now get 4 bytes.  This is the length.  It is made up of 2 16 bit values.
 				// these 2 values are checksumed, so it is easy to tell if the data is WRONG.
 				// correct data is u16_1 == (u16_2^0xFFFF)
@@ -1326,8 +1326,8 @@ SkipKeyLoadInit:;
 				v1 = curDecryBuf[1] | (((u16)curDecryBuf[2])<<8);
 				v2 = curDecryBuf[3] | (((u16)curDecryBuf[4])<<8);
-				if (v1 != (v2^0xFFFF))
-					goto Failed_Bailout;
+				//if (v1 != (v2^0xFFFF))
+					//goto Failed_Bailout;
 				// Ok, if we have a signature, check it here, WITHOUT having to call zLib's inflate.
 				if (salt->H[cur_hash_idx].pSig->max_len) {

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ